RE: Access network resources from ASP.NET
From: Jim Cheshire [MSFT] (jamesche_at_online.microsoft.com)
Date: 10/23/03
Date: Thu, 23 Oct 2003 17:57:24 GMT
Dima,
What you are doing is possible. What Mitch is talking about in his post is
delegation of credentials. Essentially, this means that if you are
browsing the site and using your credentials sent by the browser, those
same credentials cannot be used to access another resource on a machine
remote to the Web server. In that scenario, the Web server is delegating
your credentials, and such is prevented when using NTLM authentication. If
all of the boxes are using Windows 2000 or later, you can use Kerberos and
delegation to get around that.
However, what you really want to do is impersonate this user just to run a
certain section of code and to write to the network resource. In that
case, code-level impersonation using PInvoke to call LogonUser is the
perfect solution.
Here is an article that explains how to do that:
306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158
Jim Cheshire [MSFT]
Developer Support
ASP.NET
jamesche@online.microsoft.com
This post is provided as-is with no warranties and confers no rights.
--------------------
>From: "Dima Semensky" <dsemen@bellsouth.net>
>Subject: Access network resources from ASP.NET
>Date: Thu, 23 Oct 2003 10:55:28 -0400
>
>Hi!
>
>After extensive research of this topic, I'm still not sure what the
>"official" way to do it is.
>
>Task:
>
> 1. User submits some request to ASP.NET application and the app should
>write the result to a network share.
> 2. Integrated Authentication must be used
> 3. No open passwords are allowed to be specified in any config files
> 4. Can't assign special domain user as Local Administrator
>
>Problem:
>
> With default setup, it is not possible due to security reasons.
>
>Related topics:
> - impersonation
> - machine.config - processModel.userName
> - IUSR_MACHINE user
> - delegation
>
>Here is where I'm stuck: I'd like to use impersonation like this:
> <identity impersonate="true" userName="Bob" password="pwd" />
>
>but this topic explains that it's not possible:
>http://groups.google.com/groups?q=impersonate+Logon+failure:+unknown+user+name+or+bad+password.++group:microsoft.public.dotnet.*&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.dotnet.*&selm=uzT4T%23%23wCHA.2680%40TK2MSFTNGP09&rnum=1
>
>Any ideas?
>
>Dima Semenskyy.
>
>
>